# Attacks and Countermeasures for White-box Designs

@article{Biryukov2018AttacksAC, title={Attacks and Countermeasures for White-box Designs}, author={Alex Biryukov and Aleksei Udovenko}, journal={IACR Cryptol. ePrint Arch.}, year={2018}, volume={2018}, pages={49} }

In traditional symmetric cryptography, the adversary has access only to the inputs and outputs of a cryptographic primitive. In the white-box model the adversary is given full access to the implementation. He can use both static and dynamic analysis as well as fault analysis in order to break the cryptosystem, e.g. to extract the embedded secret key. Implementations secure in such model have many applications in industry. However, creating such implementations turns out to be a very challenging…

## 28 Citations

### Another Look on Bucketing Attack to Defeat White-Box Implementations

- Computer Science, MathematicsCOSADE
- 2019

This paper turns a cryptanalysis technique, called statistical bucketing attack, into a computational analysis one allowing an efficient key recovery from software execution traces, and extends it to target AES white-box implementations.

### On the practical security of white-box cryptography. (De la théorie à la pratique de la cryptographie en boite blanche)

- Computer Science, Mathematics
- 2020

This thesis could break the winning implementations of two consecutive editions of the well-known WhibOx white-box cryptography competition and describes how to combine state-of-the-art countermeasures to resist gray-box attacks and comprehensively elaborate on the (in)effectiveness of these combined countermeasures in terms of computation complexity.

### A DFA Attack on White-Box Implementations of AES with External Encodings

- Computer ScienceSAC
- 2019

This paper presents a new DFA attack on a class of white-box implementations of AES that use a specific type of external encoding on the output that is dominated by \(2^{32}\) executions of the white- box implementation.

### How to reveal the secrets of an obscure white-box implementation

- Computer Science, MathematicsJournal of Cryptographic Engineering
- 2019

A detailed description of the different steps of the linear decoding analysis that is used to extract the key from the encoded intermediate variables of the target challenge is given, and it is generalized to an attack methodology to break further obscure white-box implementations.

### A White-Box Masking Scheme Resisting Computational and Algebraic Attacks

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2020

A novel generic masking scheme that can resist both DCA and algebraic DCA attacks is proposed and the connection between two main security notions in white-box cryptography: probing security and prediction security is demonstrated.

### Defeating State-of-the-Art White-Box Countermeasures with Advanced Gray-Box Attacks

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2020

A new paradigm for the gray-box attack against white-box cryptography is proposed, which exploits the data-dependency of the target implementation and provides substantial complexity improvements over the existing attacks.

### Higher-Order DCA against Standard Side-Channel Countermeasures

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2018

This attack builds on the same principles as DPA in the classical side-channel context, but uses computational traces consisting of plain values computed by the implementation during execution to recover the key of many existing AES white-box implementations.

### Balanced Encoding of Near-Zero Correlation for an AES Implementation

- Computer Science
- 2022

This paper proposes a secure internal encoding method of an AES implementation that is about half the table size required by the white-box AES implementation, which is vulnerable to power analysis, and is about three times the amount of operations requiredBy the straightforward AES implementation.

### Improvement on a Masked White-Box Cryptographic Implementation

- Computer Science, MathematicsIEEE Access
- 2020

A white-box AES (WB-AES) implementation applying the masking technique to the key-dependent intermediate value and the several outer-round outputs computed by partial bits of the key can protect against DCA variants including DCA with a 2-byte key guess, collision, and bucketing attacks.

### Dummy Shuffling against Algebraic Attacks in White-box Implementations

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2021

A refreshing technique for dummy shuffling is introduced and it allows to achieve close to optimal protection in the model for arbitrary degrees of the attack, thus solving the open problem of protection against the algebraic attack in the BU-model.

## References

SHOWING 1-10 OF 35 REFERENCES

### Cryptanalysis of a White Box AES Implementation

- Computer Science, MathematicsSelected Areas in Cryptography
- 2004

This paper explains in details how to extract the whole AES secret key embedded in such a white box AES implementation, with negligible memory and worst time complexity 230.

### Differential Computation Analysis: Hiding Your White-Box Designs is Not Enough

- Computer Science, MathematicsCHES
- 2015

This paper presents a new approach to assess the security of white-box implementations which requires neither knowledge about the look-up tables used nor any reverse engineering effort.

### White-Box Cryptography and an AES Implementation

- Computer Science, MathematicsSelected Areas in Cryptography
- 2002

Encrypted-composed-function methods intended to provide a practical degree of protection against white-box (total access) attacks in untrusted execution environments are discussed.

### White-Box Cryptography in the Gray Box - A Hardware Implementation and its Side Channels

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2016

This work presents a first white-box implementation of AES on reconfigurable hardware for which it is shown that such an implementation does not provide sufficient protection against an SCA attacker and presents additional results which can be used to build stronger white- box designs.

### Analysis of Software Countermeasures for Whitebox Encryption

- Computer Science, MathematicsIACR Trans. Symmetric Cryptol.
- 2017

It is found that if in addition to control flow obfuscation, one were to randomize the locations of the LUTs in the memory, then it is very difficult to perform the DCA on the resultant system using such table inputs and extract the secret key in reasonable time.

### Cryptographic Schemes Based on the ASASA Structure: Black-Box, White-Box, and Public-Key (Extended Abstract)

- Computer Science, MathematicsASIACRYPT
- 2014

This paper designs several encryption schemes based on the ASASA structure ranging from fast and generic symmetric ciphers to compact public key and white-box constructions based on generic affine transformations combined with specially designed low degree non-linear layers.

### Another Nail in the Coffin of White-Box AES Implementations

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2013

A new attack against the original implementation of Chow et al. (SAC 2002) of AES is described, which efficiently recovers the AES secret key as well as the private external encodings in complexity 2, and it is shown that the last candidate white-box AES implementation can be broken by a direct application of either Billet etAl.

### How to reveal the secrets of an obscure white-box implementation

- Computer Science, MathematicsJournal of Cryptographic Engineering
- 2019

A detailed description of the different steps of the linear decoding analysis that is used to extract the key from the encoded intermediate variables of the target challenge is given, and it is generalized to an attack methodology to break further obscure white-box implementations.

### Clarifying obfuscation: improving the security of white-box DES

- Computer ScienceInternational Conference on Information Technology: Coding and Computing (ITCC'05) - Volume II
- 2005

This work has implemented obfuscated (white-box) DES and triple-DES algorithms along the lines of Chow et al., with alterations that improve the security of the key.

### Structural Cryptanalysis of SASAS

- Mathematics, Computer ScienceJournal of Cryptology
- 2010

It is shown that a five-layer scheme with 128-bit plaintexts and 8-bit S-boxes is surprisingly weak against what is called a multiset attack, even when all the S- boxes and affine mappings are key dependent (and thus completely unknown to the attacker).